Discussion:
[Samba] can't connect ldapsearch with samba 4
Trenta sis
2016-06-17 14:20:21 UTC
Hi,

I'm trying to migrate a Samba 3 NT domain to Samba 4 AD. We have migrated the
data and it seems correct, but now we need to connect with ldapsearch and
always receive errors like
ldap_bind: Strong(er) authentication required (8)
additional info: BindSimple: Transport encryption required.

command used is
/usr/bin/ldapsearch -H ldap://server -x -LLL -z 0 -D "uid=user,ou=Users,dc=domain,dc=com" -w "pwd" -b "ou=Users,dc=domain,dc=com"

I have tested authentication with SSL from an external application and it
works OK and seems correctly configured

I have tried to run ldapsearch with ssl and without but always receive
errors. Using ldapadmin client I can connect with gssapi with port 389, but
with ldapsearch I can't work...

how can I query samba 4 AD ldap with ldapsearch?


Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mj
2016-06-18 10:11:26 UTC
Hi
Post by Trenta sis
how can I query samba 4 AD ldap with ldapsearch?
Just don't use ldaps://, instead use Kerberos (-k yes):

kinit administrator
ldbsearch -H ldap://addc.example.net "cb=administrator" -k yes

I know it seems strange, but direct encryption with Kerberos is more
secure than LDAP over SSL/TLS. Therefore, we only accept simple binds
over ldaps:// by default, or:

ldap server require strong auth = no

Hope that helps,
MJ
Trenta sis
2016-06-19 16:55:10 UTC
Hi,

First of all, thanks for your answer.

I have tried, but it is not working; we receive:

# kinit administrator
Password for ***@DOM.COM:
Warning: Your password will expire in 33 days on Fri 22 Jul 2016 07:52:12 PM CEST

# ldbsearch -H ldap://debian8DC1 "cb=administrator" -k yes
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://debian8DC1' with backend 'ldap': (null)
Failed to connect to ldap://debian8DC1 - (null)

Is it possible to keep the same or a similar configuration to the one used
with Samba 3 + OpenLDAP to make queries to LDAP? We have many scripts using
ldapsearch... Is it possible to keep the scripts using ldapsearch?

Thanks
Achim Gottinger
2016-06-19 17:37:48 UTC
On my side I needed

TLS_REQCERT allow

in /etc/ldap.conf to get ldaps working.

To use unencrypted connections add

ldap server require strong auth = no

to the global section of smb.conf.

achim~
Trenta sis
2016-06-20 16:08:58 UTC
Hi,
Solved by making only these changes:
in /etc/ldap/ldap.conf
add
TLS_CACERT /etc/ldap/ca.pem.crt

sample query with ldaps
# ldapsearch -H ldaps://server -x -LLL -z 0 -D "CN=user,CN=Users,DC=domain,DC=com" -w "p" -b "CN=Users,DC=domain,DC=com"


Solved!

Thanks
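
A way to check a host for the two relaxations suggested earlier in this thread (TLS_REQCERT allow in ldap.conf and ldap server require strong auth = no in smb.conf), as opposed to the TLS_CACERT fix in the last post. This is an added example, not part of any post or of Samba's tooling; the function names and file arguments are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: flag the certificate/auth relaxations discussed in the thread.

# Last value of an ldap.conf option (option names are case-insensitive).
ldapconf_get() {  # $1=file $2=option
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# Value of a [global] smb.conf parameter; Samba ignores case and spaces in names.
smbconf_get() {  # $1=file $2=parameter
    awk -F= -v k="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = norm($0); next }
        sec == "[global]" && NF >= 2 && norm($1) == norm(k) { v = norm($2) }
        END { print v }' "$1"
}

# Print one line per weak setting; the return status is the number found.
audit_ldap_settings() {  # $1=ldap.conf $2=smb.conf
    found=0
    reqcert=$(ldapconf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    strong=$(smbconf_get "$2" "ldap server require strong auth")
    case "$reqcert" in
        never|allow)
            echo "WEAK ldap.conf: TLS_REQCERT $reqcert does not verify the DC certificate"
            [ -n "$(ldapconf_get "$1" TLS_CACERT)" ] ||
                echo "  fix: set TLS_CACERT to the CA file and remove TLS_REQCERT"
            found=$((found + 1)) ;;
    esac
    if [ "$strong" = "no" ]; then
        echo "WEAK smb.conf: simple binds accepted over unencrypted ldap://"
        found=$((found + 1))
    fi
    return "$found"
}

# Constructed sample files, written to a temporary directory.
demo_dir=$(mktemp -d)
printf 'TLS_REQCERT allow\n' > "$demo_dir/ldap.conf"
printf '[global]\n\tldap server require strong auth = no\n' > "$demo_dir/smb.conf"
audit_ldap_settings "$demo_dir/ldap.conf" "$demo_dir/smb.conf" || echo "weak settings: $?"
```

On a real host the arguments would be the client's ldap.conf and the DC's smb.conf; a return status of 0 means neither relaxation is present.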